PayMaxx Closes W-2 Site after Security Hole Found

February 25, 2005 (PLANSPONSOR.com) - Online payroll
service provider PayMaxx closed its automated W-2 site this
week after a researcher claimed that two security holes had
exposed data on more than 25,000 people.

Aaron Greenspan, president of Think Computer,
asserted in a paper posted on his firm's Web site that
the security problems at PayMaxx allowed any visitor to the
site to view the W-2 forms generated for employees of PayMaxx's
clients over the last five years, according to a CNET
News.com report.

Greenspan, a former PayMaxx customer, said he
discovered the alleged problems in the company’s system
more than two weeks ago, after he received notification
that his W-2 tax form was available online for download
and printing. He said he found the problem when the link
to access the W-2 included an ID number and he wondered
whether the company had protected against an obvious
security problem: adding one to the ID number to get the
next form.

According to the CNET News report, when Greenspan tried
that, another person's W-2 downloaded and was readable.
The vulnerability could have allowed employees at
PayMaxx's clients to access more than 25,000 W-2 forms
for last year, as well as the W-2 forms for every year
back to 2000, he said.

PayMaxx told CNET that a third-party security
company was investigating the allegations. “No system in
the world is 100% secure from a sophisticated and
determined hacker,” the Tennessee-based payroll company
said in a statement sent to CNET News.com. “PayMaxx has
made and continues to make every effort to secure its
system against any breach.”

Greenspan said his investigation also revealed that
PayMaxx’s database contained a record for testing that
contained a Social Security number of 000-00-0000 and a
password of all zeros. That could allow anyone to log
into the site and then use the lack of authentication to
sequentially download all the W-2 forms, Greenspan
said.
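The two problems described above, a sequential form ID that is served without an ownership check and a guessable test login that gives anyone a session, combine into a full dump. The model below is an added example written for this page, not PayMaxx's code or anything from Greenspan's paper: the W-2 records, the account table (including a stand-in for the all-zeros test record) and the handler names are all constructed. It shows the "add one to the ID" probe against a handler with no access check and against the same handler with an ownership check against the session, and then the range walk the test account would have made possible.

```python
"""Sequential-ID enumeration (IDOR) with and without an ownership check.

Constructed example: records, accounts and handlers are hypothetical
stand-ins for a W-2 download endpoint; none of this is PayMaxx's code.
"""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class W2:
    form_id: int
    employee: str  # login name of the form's owner
    wages: int


# Constructed sample data. Consecutive IDs are what make the
# "add one to the ID" probe useful to an attacker.
FORMS = {
    1000: W2(1000, "test", 0),
    1001: W2(1001, "alice", 52000),
    1002: W2(1002, "bob", 61000),
    1003: W2(1003, "carol", 48000),
}

# Constructed accounts, keyed by SSN. The all-zeros entry mirrors the
# test record the article describes; it is a stand-in, not real data.
ACCOUNTS = {
    "000-00-0000": ("test", "0000"),      # hypothetical test record
    "123-45-6789": ("alice", "hunter2"),  # hypothetical real user
}


class Forbidden(Exception):
    pass


def login(ssn: str, password: str) -> str:
    """Returns the session user name on success, raises Forbidden otherwise."""
    user, pw = ACCOUNTS.get(ssn, (None, None))
    if pw is None or not hmac.compare_digest(pw, password):
        raise Forbidden("bad credentials")
    return user


def vulnerable_download(session_user: str, form_id: int) -> W2:
    """Fetches whatever ID the link names and never asks who owns it."""
    return FORMS[form_id]


def hardened_download(session_user: str, form_id: int) -> W2:
    """Same lookup, followed by an ownership check against the session."""
    form = FORMS.get(form_id)
    if form is None or form.employee != session_user:
        # One error for 'missing' and 'not yours', so responses do not
        # reveal which IDs exist.
        raise Forbidden("no such form for this user")
    return form


def probe_neighbours(download, session_user: str, own_id: int, window: int = 1):
    """The 'add one' test: request the IDs around own_id and return the
    ones that came back holding someone else's form."""
    leaked = []
    for fid in range(own_id - window, own_id + window + 1):
        if fid == own_id:
            continue
        try:
            form = download(session_user, fid)
        except (Forbidden, KeyError):
            continue
        if form.employee != session_user:
            leaked.append(fid)
    return leaked


def dump_all(download, session_user: str, first_id: int, last_id: int):
    """Walks an ID range; with a shared test login and no ownership check
    this returns every form on the site."""
    out = []
    for fid in range(first_id, last_id + 1):
        try:
            out.append(download(session_user, fid))
        except (Forbidden, KeyError):
            pass
    return out


if __name__ == "__main__":
    user = login("000-00-0000", "0000")
    print(len(dump_all(vulnerable_download, user, 1000, 1003)))  # 4
    print(len(dump_all(hardened_download, user, 1000, 1003)))    # 1
```

The ownership check is the fix; making the link an unguessable token would slow enumeration but would not stop a user from reaching a form whose token they obtain some other way, so the check against the session has to stay regardless of how the link is built.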

PayMaxx confirmed that the test account did exist
as described in Greenspan’s paper, but took issue with
other allegations. The company stated that from a review
of Greenspan’s paper, it had found several of his claims
to be inaccurate, but did not specify which
claims.